blackwiggle
19th May 2011, 02:19 AM
I just saw this posted and have cut and pasted the original post :frown:
I suggest you repeatable visit the link below to the original post, as it has been update several times over the last few hours with information regarding the response from SONY when the poster told them about the exploit.
Apparently SONY has shut down the Web based PSN login / Password recovery function, it is now down for maintenance
.........................
Quote:
I want to make this clear to ALL PSN users. Despite the methods currently employed to force a password change when you first reconnect to the PlayStation network, your accounts still remain unsafe.
A new hack is currently doing the rounds in dark corners of the internet that allows the attacker the ability to change your password using only your account’s email and date of birth.
It has been proven to me through direct demonstration on a test account, so I am without any shadow of a doubt that this is real.
I would suggest that you secure your accounts now by creating a completely new email that you will not use ANYWHERE ELSE, and switching your PSN account to use this new email. You risk having your account stolen, when this hack becomes more public, if you do not make sure that your PSN account’s email is one that cannot be affiliated with or otherwise traced to you.
While we originally assumed this was a poor hoax designed only to stir the community into another frenzy, the individual who we are in contact with requested just two pieces of information from us: this being an account email and the date of birth used for that account. We promptly created a new account via us.playstation.com and provided the individual with the email address and date of birth used.
Roughly a minute later they requested that we try to login with the password we used for the account (which they did not know at any point), and sure enough, we were presented with an invalid username and/or password prompt.
In addition to this, within a few minutes we received an email from Sony stating the following:
This email confirms that your PlayStation(R)Network password account has been changed successfully.
If you did not change your password…
This email has been sent to you because the password for the relevant PlayStation(R)Network account has been changed.
If you did not change your password, please contact Customer Support at the following address:
networksupport@uk.playstation.com
The PlayStation(R)Network Team
While we will not reveal specific details regarding how the exploit is performed for obvious reasons, we can say that the exploit involves a vulnerability in the password reset form currently implemented, not properly verifying tokens.
http://sony.nyleveia.com/2011/05/17/warning-all-psn-users-your-accounts-are-still-not-safe/
I suggest you repeatable visit the link below to the original post, as it has been update several times over the last few hours with information regarding the response from SONY when the poster told them about the exploit.
Apparently SONY has shut down the Web based PSN login / Password recovery function, it is now down for maintenance
.........................
Quote:
I want to make this clear to ALL PSN users. Despite the methods currently employed to force a password change when you first reconnect to the PlayStation network, your accounts still remain unsafe.
A new hack is currently doing the rounds in dark corners of the internet that allows the attacker the ability to change your password using only your account’s email and date of birth.
It has been proven to me through direct demonstration on a test account, so I am without any shadow of a doubt that this is real.
I would suggest that you secure your accounts now by creating a completely new email that you will not use ANYWHERE ELSE, and switching your PSN account to use this new email. You risk having your account stolen, when this hack becomes more public, if you do not make sure that your PSN account’s email is one that cannot be affiliated with or otherwise traced to you.
While we originally assumed this was a poor hoax designed only to stir the community into another frenzy, the individual who we are in contact with requested just two pieces of information from us: this being an account email and the date of birth used for that account. We promptly created a new account via us.playstation.com and provided the individual with the email address and date of birth used.
Roughly a minute later they requested that we try to login with the password we used for the account (which they did not know at any point), and sure enough, we were presented with an invalid username and/or password prompt.
In addition to this, within a few minutes we received an email from Sony stating the following:
This email confirms that your PlayStation(R)Network password account has been changed successfully.
If you did not change your password…
This email has been sent to you because the password for the relevant PlayStation(R)Network account has been changed.
If you did not change your password, please contact Customer Support at the following address:
networksupport@uk.playstation.com
The PlayStation(R)Network Team
While we will not reveal specific details regarding how the exploit is performed for obvious reasons, we can say that the exploit involves a vulnerability in the password reset form currently implemented, not properly verifying tokens.
http://sony.nyleveia.com/2011/05/17/warning-all-psn-users-your-accounts-are-still-not-safe/